As I headed out to the elevator lobby, I mused over the all the resources that had been consumed for that half-hour presentation. Granted, when you are a vendor or service provider, you are always at the mercy of your customers' schedules. However, there were aspects of this situation I found truly wasteful.
First and foremost, I have always felt that having someone make your travel arrangements is only effective for the most senior people in large companies. These executives turn over their entire scheduling process to an assistant who knows their work and private life intimately and tracks every waking moment. However, for most everyone else, it seems an uneconomical luxury.
In this case, Ellen had to play the role of middleman, transferring questions and responses between two parties who should have simply linked up directly. The airline representative would have put forth the options, and Julie would have been able to quickly decide among the alternatives. Not only would this have eliminated all the back- and-forth telephone calls and voice mails, it would have freed up Ellen to complete the sales reports on time.
When looking at the waste, it's important to consider all the other incidentals that became part of that trip. In addition to the pre-travel planning and mid-travel changes, the days that followed required time to work on refunds and expense reports. It was undoubtedly a very costly half-hour meeting.
I am not sure that's exactly how Julie assessed it. We are all confronted with episodes like Julie's excellent adventure; they are often one aspect of our job. Certainly, she didn't plan to waste that much time and effort, but an objective look at the cost-benefit ratio would be an eye opener. I refer to it as someone who is busy being busy. Unless you take the time to professionally evaluate these processes, it's easy to mistake this time- consuming activity for accomplishment.
Many security programs I have had the privilege to review also suffer from a certain amount of this busy work. It's in the nature of all large tasks. In last month's column, we discussed the importance of having a plan, not merely a story. If you've already taken that advice and have a sound plan, then the key for you now is ensuring that you are not busy just being busy.
A critical part of your plan will be a set of objectives with realistic timelines. One government chief information security officer I know even ensures his subordinates are effectively meeting planned objectives by maintaining a chart that tracks progress in all the identified areas. It is a simple matrix diagram with green, yellow and red squares that identify if an objective is on track (green), needs scrutiny (yellow), or is behind schedule (red). This chart forms the basis for many of his meetings.
If you think this means you will eventually complete your job and be able to relax or retire, forget it. In the security business, there are always vulnerabilities to assess and threats to analyze. New telecommunications systems, corporate acquisitions and emerging threats will be there to ensure none of us will ever enjoy the luxury of professional boredom. But if you are able to identify the security-relevant aspects of these changing environments and build a plan to address the challenges they bring, you can focus on those activities that most effectively mitigate your organizational risks. By tying your activities to milestones in the plan, you can ensure you're focused on those key accomplishments that drive your security program.
Certainly, there are many daily activities that can dramatically impact your productivity. However, if you have a plan and track key milestones, you are in a better position to demonstrate your ability to design, implement and manage a complex security program. You will be busy, but you will be busy about the job of protecting critical company assets.
John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at firstname.lastname@example.org.